From a81cf75e138480ec390d85347c405db41625b36f Mon Sep 17 00:00:00 2001
From: Christoph
Date: Sun, 3 Aug 2025 01:00:01 +0200
Subject: [PATCH] update..
---
 files/homedirs/back/_bashrc | 4 +
 files/homedirs/back/_vimrc | 1 +
 files/homedirs/chris/.vimrc | 2 +
 files/homedirs/chris/_bashrc | 4 +
 files/homedirs/root/_bashrc | 4 +
 files/homedirs/sysadm/_bashrc | 4 +
 files/homedirs/sysadm/_vimrc | 2 +
 host_vars/:q | 708 ++++++++++++++++++
 host_vars/backup.oopen.de.yml | 1 +
 host_vars/backup.warenform.de.yml | 3 +
 host_vars/file-ebs.ebs.netz.yml | 85 +++
 ...a.netz.yml => ga-st-gw-neu.ga.netz.yml.00} | 0
 host_vars/ga-st-gw-neu.ga.netz.yml.01 | 592 +++++++++++++++
 host_vars/ga-st-gw.ga.netz.yml | 105 +--
 host_vars/ga-st-gw.ga.netz.yml.00 | 583 ++++++++++++++
 host_vars/gw-fm.oopen.de.yml | 234 ++++++
 host_vars/zapata.opp.netz.yml | 1 +
 hosts | 18 +
 18 files changed, 2303 insertions(+), 48 deletions(-)
 create mode 100644 host_vars/:q
 rename host_vars/{ga-st-gw-neu.ga.netz.yml => ga-st-gw-neu.ga.netz.yml.00} (100%)
 create mode 100644 host_vars/ga-st-gw-neu.ga.netz.yml.01
 create mode 100644 host_vars/ga-st-gw.ga.netz.yml.00
 create mode 100644 host_vars/gw-fm.oopen.de.yml
diff --git a/files/homedirs/back/_bashrc b/files/homedirs/back/_bashrc
index e6124f0..76c1884 100644
--- a/files/homedirs/back/_bashrc
+++ b/files/homedirs/back/_bashrc
@@ -111,3 +111,7 @@ export EDITOR=vim
 ## - set beep more quiet
 ## - #xset b 10 500 50
+
+# turn off the beep (only in bash tab-complete ?)
+# only if interactiv shell
+[[ "$-" =~ "i" ]] && bind 'set bell-style none'
diff --git a/files/homedirs/back/_vimrc b/files/homedirs/back/_vimrc
index 0bf54d9..e6fac60 100644
--- a/files/homedirs/back/_vimrc
+++ b/files/homedirs/back/_vimrc
@@ -171,3 +171,4 @@ set statusline=\ %F\ %(\|\ flags:\ %R%M%H%W\ %)%(\|\ type:\ %Y\ %)%(\|\ format:\
 set laststatus=2
 highlight StatusLine cterm=none ctermfg=white ctermbg=blue
+set belloff=all
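Review bot: The interactive-shell test `[[ "$-" =~ "i" ]]` on the last added line of `files/homedirs/back/_bashrc` only works because a quoted right-hand side of `=~` is matched literally; the conventional, regex-free form is `[[ $- == *i* ]] && bind 'set bell-style none'`. The identical four lines are added to `files/homedirs/chris/_bashrc`, `files/homedirs/root/_bashrc` and `files/homedirs/sysadm/_bashrc`, so the same remark applies there. The comment above it could read `# only if interactive shell`.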
diff --git a/files/homedirs/chris/.vimrc b/files/homedirs/chris/.vimrc
index 52e08f4..75d1c2d 100644
--- a/files/homedirs/chris/.vimrc
+++ b/files/homedirs/chris/.vimrc
@@ -175,4 +175,6 @@ set statusline=\ %F\ %(\|\ flags:\ %R%M%H%W\ %)%(\|\ type:\ %Y\ %)%(\|\ format:\
 set laststatus=2
 highlight StatusLine cterm=none ctermfg=white ctermbg=blue
+set belloff=all
+
 colorscheme PaperColor
diff --git a/files/homedirs/chris/_bashrc b/files/homedirs/chris/_bashrc
index e4ca439..3641e19 100644
--- a/files/homedirs/chris/_bashrc
+++ b/files/homedirs/chris/_bashrc
@@ -113,3 +113,7 @@ export EDITOR=vim
 ## - set beep more quiet
 ## - #xset b 10 500 50
+
+# turn off the beep (only in bash tab-complete ?)
+# only if interactiv shell
+[[ "$-" =~ "i" ]] && bind 'set bell-style none'
diff --git a/files/homedirs/root/_bashrc b/files/homedirs/root/_bashrc
index dca6a2a..72b763c 100644
--- a/files/homedirs/root/_bashrc
+++ b/files/homedirs/root/_bashrc
@@ -76,3 +76,7 @@ export LINES=64
 ## - set beep more quiet
 ## - #xset b 10 500 50
+
+# turn off the beep (only in bash tab-complete ?)
+# only if interactiv shell
+[[ "$-" =~ "i" ]] && bind 'set bell-style none'
diff --git a/files/homedirs/sysadm/_bashrc b/files/homedirs/sysadm/_bashrc
index 98fc5e6..027dffd 100644
--- a/files/homedirs/sysadm/_bashrc
+++ b/files/homedirs/sysadm/_bashrc
@@ -73,3 +73,7 @@ export LINES=64
 ## - set beep more quiet
 ## - #xset b 10 500 50
+
+# turn off the beep (only in bash tab-complete ?)
+# only if interactiv shell
+[[ "$-" =~ "i" ]] && bind 'set bell-style none'
diff --git a/files/homedirs/sysadm/_vimrc b/files/homedirs/sysadm/_vimrc
index 52e08f4..75d1c2d 100644
--- a/files/homedirs/sysadm/_vimrc
+++ b/files/homedirs/sysadm/_vimrc
@@ -175,4 +175,6 @@ set statusline=\ %F\ %(\|\ flags:\ %R%M%H%W\ %)%(\|\ type:\ %Y\ %)%(\|\ format:\
 set laststatus=2
 highlight StatusLine cterm=none ctermfg=white ctermbg=blue
+set belloff=all
+
 colorscheme PaperColor
diff --git a/host_vars/:q b/host_vars/:q
new file mode 100644
index 0000000..14424c2
--- /dev/null
+++ b/host_vars/:q
@@ -0,0 +1,708 @@ +--- + +# --- +# vars used by roles/network_interfaces +# --- + + +# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted +network_manage_devices: True + +# Should the interfaces be reloaded after config change? +network_interface_reload: False + +network_interface_path: /etc/network/interfaces.d +network_interface_required_packages: + - vlan + - bridge-utils + - ifmetric + - ifupdown + - ifenslave + + +network_interfaces: + + - device: br0 + # use only once per device (for the first device entry) + headline: br0 - bridge over device enp97s0 + + # auto & allow are only used for the first device entry + allow: [] # array of allow-[stanzas] eg. allow-hotplug + auto: true + + family: inet + method: static + description: + address: 192.168.122.10 + netmask: 24 + gateway: 192.168.122.254 + + # optional dns settings nameservers: [] + # + # nameservers: + # - 194.150.168.168 # dns.as250.net + # - 91.239.100.100 # anycast.censurfridns.dk + # search: warenform.de + # + + # optional bridge parameters bridge: {} + # bridge: + # ports: + # stp: + # fd: + # maxwait: + # waitport: + bridge: + ports: enp97s0 # for mor devices support a blank separated list + stp: !!str off + fd: 5 + hello: 2 + maxage: 12 + + # inline hook scripts + pre-up: + - !!str "ip link set dev enp97s0 up" # pre-up script lines + up: [] #up script lines + post-up: [] # post-up script lines (alias for up) + pre-down: [] # pre-down script lines (alias for down) + down: [] # down script lines + post-down: [] # post-down script lines + + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + + +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + +# CyberGhost - Schnelle Verbindung 
mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 192.168.122.1 + +# search domains +# +# If there are more than one search domains, then specify them here in the order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - ~. 
+ - anw-km.netz + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 172.16.122.254 + + +# --- +# vars used by roles/common/tasks/cron.yml +# --- + +cron_user_special_time_entries: + + - name: "Restart DNS Cache service 'systemd-resolved'" + special_time: reboot + job: "sleep 10 ; /bin/systemctl restart systemd-resolved" + insertafter: PATH + + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + +sudoers_file_user_back_mount_privileges: + - 'ALL=(root) NOPASSWD: /usr/bin/mount' + - 'ALL=(root) NOPASSWD: /usr/bin/umount' + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + + +# --- +# vars used by roles/common/tasks/git.yml +# --- + + +# --- +# vars used by roles/common/tasks/samba-config-server.yml +# vars used by roles/common/tasks/samba-user.yml +# --- + +samba_server_ip: 192.168.122.10 +samba_server_cidr_prefix: 24 + +samba_workgroup: WORKGROUP + +samba_netbios_name: FILE-KM + +samba_server_min_protocol: !!str NT1 + +samba_groups: + - name: kanzlei + group_id: 1100 + - name: a-jur + group_id: 1110 + - name: intern + group_id: 1120 + - name: aulmann + group_id: 1130 + - name: howe + group_id: 1140 + - name: stahmann + group_id: 1150 + - name: traine + group_id: 1160 + - name: public + group_id: 1170 + - name: alle + group_id: 1180 + + + +samba_user: + + - name: advoware + groups: + - advoware + password: '9WNRbc49m3' + + - name: a-jur + groups: + - a-jur + - alle + - intern + - kanzlei + password: 'a-jur' + + - name: andrea + groups: + - advoware + - aulmann + - howe + - stahmann + - traine + - public + password: 'fXc3bmK9gj' + + - name: andreas + groups: + - a-jur + - advoware + - alle + - kanzlei + password: 'YKQRa.M9-6rL' + + - name: 
aphex2 + groups: + - alle + - aulmann + - howe + - stahmann + - traine + - public + password: 'J3KMRprK9H' + + - name: berenice + groups: + - kanzlei + - a-jur + - alle + password: 'berenice' + + - name: beuster + groups: + - advoware + - aulmann + - howe + - stahmann + - traine + - public + - alle + password: 'zlm17Kx' + + - name: buero + groups: + - kanzlei + - a-jur + - alle + password: 'buero' + + - name: buero2 + groups: + - kanzlei + - a-jur + - alle + password: 'buero2' + + - name: buero3 + groups: + - kanzlei + - a-jur + - alle + password: 'buero3' + + - name: buero4 + groups: + - kanzlei + - a-jur + - alle + password: 'buero4' + + - name: buero7 + groups: + - kanzlei + - a-jur + - alle + password: 'buero7' + + - name: chris + groups: + - a-jur + - advoware + - alle + - aulmann + - intern + - kanzlei + - stahmann + - traine + - public + password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 30383265366434633965346530666535363761396165393434643665393137353765653739636364 + 6330623334353763613065343336306434376335646666380a363030363335656261656236636562 + 63663763616630383264303039336562626537366634303636356237323630666635356130383165 + 3837613337343533650a663061366230353531316535656433643162353063383534323833323138 + 3430 + + - name: christina + groups: + - advoware + - alle + - aulmann + - howe + - stahmann + - traine + - public + password: 'qvR7zX4Lhs' + + - name: federico + groups: + - advoware + - alle + - aulmann + - howe + - stahmann + - traine + - public + password: 'zHfj9g3NcC' + +# - name: gerhard +# groups: +# - advoware +# - alle +# - aulmann +# - howe +# - stahmann +# - traine +# - public +# password: 'bHdhzWnTj9' + + - name: ho-st1 + groups: + - alle + - howe + - stahmann + password: '44-Ro-440' + +# - name: howe-staff-1 +# groups: +# - advoware +# - alle +# - aulmann +# - howe +# password: '' + + - name: irina + groups: + - advoware + - alle + - aulmann + - howe + - stahmann + - traine + - public + password: 'W9NKv39pXW' + + - name: jessica + groups: 
+ - advoware + - alle + - aulmann + - howe + - stahmann + - traine + - public + password: 'bV3pjPtjkR' + +# - name: laura +# groups: +# - alle +# - aulmann +# - howe +# - stahmann +# - traine +# password: '99-Hamburg-990' + + - name: lenovo3 + groups: + - advoware + - alle + - aulmann + - howe + - stahmann + - traine + - public + password: 'fndvLmrt7W' + + - name: lenovo4 + groups: + - advoware + - alle + - aulmann + - howe + - stahmann + - traine + - public + password: 'tpCMmTKj7H' + + - name: lenovo5 + groups: + - advoware + - alle + - aulmann + - howe + - stahmann + - traine + - public + password: 'L5Hannover51' + + - name: lenovo6 + groups: + - advoware + - alle + - aulmann + - howe + - stahmann + - traine + password: '66koeln66' + + - name: rm-buero1 + groups: + - alle + - a-jur + - kanzlei + password: '' + + - name: rm-buero2 + groups: + - alle + - a-jur + - kanzlei + password: '' + + - name: rolf + groups: + - alle + - aulmann + - howe + - stahmann + - traine + - public + password: '4xNVNFXgP4' + + - name: sysadm + groups: + - a-jur + - advoware + - alle + - aulmann + - intern + - kanzlei + - stahmann + - traine + - public + password: 'Ax_GSHh5' + + - name: thomas + groups: + - advoware + - alle + - traine + password: '55-tho-mas-550' + + - name: Tresen + groups: + - a-jur + - advoware + - alle + - kanzlei + - howe + - stahmann + - traine + - public + password: 'maltzwo2' + + - name: winadm + groups: + - a-jur + - advoware + - alle + - intern + - kanzlei + - public + password: 'Ax_GSHh5' + + + +base_home: /data/home + +remove_samba_users: + - name: howe-staff-1 + - name: gerhard + - name: laura + +#remove_samba_users: [] +#remove_samba_users: +# - name: evren + +samba_shares: + + - name: a-jur + comment: a-jur Dokumente + path: /data/samba/a-jur + group_valid_users: a-jur + group_write_list: a-jur + file_create_mask: !!str 664 + dir_create_mask: !!str 2775 + vfs_object_recycle: true + recycle_path: '@Recycle' + vfs_object_recycle_is_visible: true + + - name: 
kanzlei + comment: Kanzlei auf Fileserver + path: /data/samba/kanzlei + group_valid_users: kanzlei + group_write_list: kanzlei + file_create_mask: !!str 664 + dir_create_mask: !!str 2775 + vfs_object_recycle: true + recycle_path: '@Recycle' + vfs_object_recycle_is_visible: true + + - name: install + comment: Install auf Fileserver + path: /data/samba/no-backup-shares/install + group_valid_users: intern + group_write_list: intern + file_create_mask: !!str 660 + dir_create_mask: !!str 2770 + vfs_object_recycle: false + + - name: aulmann + comment: Aulmann auf Fileserver + path: /data/samba/Aulmann + group_valid_users: aulmann + group_write_list: aulmann + file_create_mask: !!str 660 + dir_create_mask: !!str 2770 + vfs_object_recycle: true + recycle_path: '@Recycle' + vfs_object_recycle_is_visible: true + + - name: howe + comment: Howe auf Fileserver + path: /data/samba/Howe + group_valid_users: howe + group_write_list: howe + file_create_mask: !!str 660 + dir_create_mask: !!str 2770 + vfs_object_recycle: true + recycle_path: '@Recycle' + vfs_object_recycle_is_visible: true + + - name: stahmann + comment: Stahmann auf Fileserver + path: /data/samba/Stahmann + group_valid_users: stahmann + group_write_list: stahmann + file_create_mask: !!str 660 + dir_create_mask: !!str 2770 + vfs_object_recycle: true + recycle_path: '@Recycle' + vfs_object_recycle_is_visible: true + + - name: traine + comment: Traine auf Fileserver + path: /data/samba/Traine + group_valid_users: traine + group_write_list: traine + file_create_mask: !!str 660 + dir_create_mask: !!str 2770 + vfs_object_recycle: true + recycle_path: '@Recycle' + vfs_object_recycle_is_visible: true + + - name: public + comment: Public auf Fileserver + path: /data/samba/public + group_valid_users: public + group_write_list: public + file_create_mask: !!str 660 + dir_create_mask: !!str 2770 + vfs_object_recycle: true + recycle_path: '@Recycle' + vfs_object_recycle_is_visible: true + + - name: Advoware-Schriftverkehr + 
comment: Advoware Dokumente + path: /data/samba/Advoware-Schriftverkehr + group_valid_users: advoware + group_write_list: advoware + file_create_mask: !!str 660 + dir_create_mask: !!str 2770 + vfs_object_recycle: true + recycle_path: '@Recycle' + vfs_object_recycle_is_visible: true + + - name: Advoware-Backup + comment: Advoware Dokumente + path: /data/samba/Advoware-Backup + group_valid_users: intern + group_write_list: intern + file_create_mask: !!str 660 + dir_create_mask: !!str 2770 + vfs_object_recycle: true + recycle_path: '@Recycle' + vfs_object_recycle_is_visible: false + + - name: alle + comment: Alle auf Fileserver + path: /data/samba/Alle + group_valid_users: alle + group_write_list: alle + file_create_mask: !!str 660 + dir_create_mask: !!str 2770 + vfs_object_recycle: true + recycle_path: '@Recycle' + vfs_object_recycle_is_visible: true + +# - name: web +# comment: Web auf Fileserver +# path: /data/samba/Web +# group_valid_users: web +# group_write_list: web +# file_create_mask: !!str 660 +# dir_create_mask: !!str 2770 +# vfs_object_recycle: true +# recycle_path: '@Recycle' + + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + +root_user: + name: root + password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq. diff --git a/host_vars/backup.oopen.de.yml b/host_vars/backup.oopen.de.yml index 1ed11ce..8ca0e3d 100644 --- a/host_vars/backup.oopen.de.yml +++ b/host_vars/backup.oopen.de.yml 
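Review bot: The new file `host_vars/:q` looks like an accidental save (a vim `:q` typed at a file-name prompt) and carries a cleartext `password:` for every `samba_user` entry except `chris`, which is the only one using `!vault |`, plus a crypt hash in `root_user.password`; two entries (`rm-buero1`, `rm-buero2`) have `password: ''` and `sysadm` and `winadm` share an identical cleartext value. Since Ansible selects host_vars files by inventory host name this file is presumably never loaded, but it still enters the repository history, so it should be dropped from the commit and the secrets in it treated as exposed. Independently, `samba_server_min_protocol: !!str NT1` re-enables SMB1 on this server; a comment naming the client that still needs it (`# NT1 required by: <client> - remove once migrated`) would keep that exception visible for later review.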
@@ -329,6 +329,7 @@ default_user:
 - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMUnxlKIffm8a5BmoQE40h8ut0R6eCxcm+Iewv3evmE9 root@oolm-shop'
 - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF4ylglAkPst7G6kES2lE96ECp0AGXGjzCVkZSqGVru6 root@oolm-shop-dev'
 - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIUZ0WNd3rTqHH1tiXAELwssGw6xUP1ROdhgxKbMinYY root@oolm-web'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJJCzTmrRp0s0qpkf9HYyx4lL+zs1jTAYcCsvqpJ72p root@super-opferhilfefonds'
 - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID82UUUkYKYFbJdmTcMYu+vl3M0FVQznXFbngqPoumP+ root@prometheus-nd'
 - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJU5HzfGYZwWeaoAGGFF7/3VQP19ce6Rgn5wcOR98Q3o root@server26'
 - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBRfCFz6mPdn3TKVCgffHQAKt3LN/0srS/gBsMoOyZpi root@shop-agr'
diff --git a/host_vars/backup.warenform.de.yml b/host_vars/backup.warenform.de.yml
index 30c58e3..3098a32 100644
--- a/host_vars/backup.warenform.de.yml
+++ b/host_vars/backup.warenform.de.yml
@@ -252,6 +252,9 @@ default_user:
 - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE1RkJYM8qcEagoKt9gNVaeBbXZEJscqIBNnhL/KZfSA root@munin.oopen.de'
 - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIj2SdZgxG4NCjUiCXY7msCG+Vn6MQ5jsGxrs2qn1QZh root@mx'
 - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQAvCK/h7+8h8hPm3WyeEdBbhY4SdOSWJYxuFW24XbM root@nd'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICwG3cYT1S5ttaf7OCB2dfBAg4FFA3OO3HPTkiclaVFi root@server22'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyse/Fby2JiHjM10uotVfsBYO0W1EgmtFG2q+Q1xe38 root@server24'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIH9V1aqgZSqu7vfK9e5qGKm+ICHd8VglRr0Brm4kXfu root@server25'
 - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBOOYhdtNPAQP8BlgSYBaMfWl8Yv4Y9ww7SWeLOn0HXH root@web0'
diff --git a/host_vars/file-ebs.ebs.netz.yml b/host_vars/file-ebs.ebs.netz.yml
index ee571b1..bdc0d36 100644
--- a/host_vars/file-ebs.ebs.netz.yml
+++ b/host_vars/file-ebs.ebs.netz.yml
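Review bot: The key added for `root@super-opferhilfefonds` extends a `default_user` entry whose `name:` lies outside the hunk, so the hunk alone does not show which account on the backup server the new client may log into; the same holds for the three `server22`/`server24`/`server25` keys in `host_vars/backup.warenform.de.yml`. The trailing key comment is the only provenance these entries carry, and a YAML comment per key (`# <client role>, added <date>, remove when host is decommissioned`) would make later revocation a lookup rather than a guess. The surrounding `ssh_keys` list starts and ends outside the hunk.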
@@ -174,6 +174,67 @@ resolved_fallback_nameserver:
 - 172.16.182.254
+# ---
+# vars used by roles/common/tasks/users
+# ---
+
+default_user:
+
+ - name: chris
+ password: $y$j9T$JPKlR6kIk7GJStSdmAQWq/$e1vJER6KL/dk1diFNtC.COw9lu2uT6ZdrUgGcNVb912
+ shell: /bin/bash
+ ssh_keys:
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
+
+ - name: sysadm
+ user_id: 1050
+ group_id: 1050
+ group: sysadm
+ password: $y$j9T$sHxqz7NyYdn38ZegSbewO.$PPHR0n.XeMcS3AQ9KybllBT.2hxpYlQ7AiVhxHgUOX8
+ shell: /bin/bash
+ ssh_keys:
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
+
+ - name: localadmin
+ user_id: 1051
+ group_id: 1051
+ group: localadmin
+ home: /home/localadmin
+ password: $y$j9T$1WH8G2UkuN1jjp4QLuoeC0$dXpOnJUfMMAqAXlwN8XD0pq78r.a4UZOgt3LY4afxy/
+ shell: /bin/bash
+ ssh_keys:
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
+
+ - name: back
+ user_id: 1060
+ group_id: 1060
+ group: back
+ password: $y$j9T$WmitGB98lhPLJ39Iy4YfH.$irv0LP1bB5ImQKBUr1acEif6Ed6zDu6gLQuGQd/i5s0
+ shell: /bin/bash
+ ssh_keys:
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd0AwTHbDBK4Dgs+IZWmtnDBjoVIogOUvkLIYvsff1y root@backup.open.de'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINj0nCdFOZm51AVCfPbZ22QROIEiboXZ7RamHvM2E9IM root@backup.warenform.de'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQMCGCyIvs5hoNDoTIkKvKmEbxLf+uCYI1vx//ZQYY root@o26-backup'
+
+
+ - name: borg
+ user_id: 1065
+ group_id: 1065
+ group: borg
+ home: /home/borg
+ password:
$y$j9T$JPKlR6kIk7GJStSdmAQWq/$e1vJER6KL/dk1diFNtC.COw9lu2uT6ZdrUgGcNVb912
+ shell: /bin/bash
+ ssh_keys:
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd0AwTHbDBK4Dgs+IZWmtnDBjoVIogOUvkLIYvsff1y root@backup.open.de'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAMFUnBjVV0WjUlhd2FT49nXlpHUDPEwaJ7bAvRJfB56 root@file-ebs'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBK8Ngbtl8Yjtk1JkT0Xn1HVIAHKdtfh0qicnnJTa3Kx root@gw-ebs'
+
+
 # ---
 # vars used by roles/common/tasks/cron.yml
 # ---
@@ -261,6 +322,9 @@ samba_netbios_name: FILE-EBS
 samba_groups:
+ - name: sysadm
+ group_id: 1050
+
 - name: admin
 group_id: 1100
@@ -312,6 +376,12 @@ samba_user:
 - recherche
 password: 'IrcR3uo-QJ.5'
+ - name: winadm
+ groups:
+ - admin
+ - sysadm
+ password: 'ZbPS.Lh6d-9E'
+
 - name: buero
 groups:
 - alle
@@ -452,6 +522,21 @@ samba_shares:
 vfs_object_recycle: false
+ # ---
+ # - This share will be written by Windows Server 2016 configured at
+ # - "Windows Zubehör" -> "Windows Server-Sicherung"
+ # ---
+ - name: WinServer2022-Backup
+ comment: WinServer2022-Backup on Fileserver
+ path: /data/samba/shares/WinServer2022-Backup
+ group_valid_users: sysadm
+ group_write_list: sysadm
+ file_create_mask: !!str 664
+ dir_create_mask: !!str 2775
+ guest_ok: !!str yes
+ vfs_object_recycle: false
+
+
 # ==============================
diff --git a/host_vars/ga-st-gw-neu.ga.netz.yml b/host_vars/ga-st-gw-neu.ga.netz.yml.00
similarity index 100%
rename from host_vars/ga-st-gw-neu.ga.netz.yml
rename to host_vars/ga-st-gw-neu.ga.netz.yml.00
diff --git a/host_vars/ga-st-gw-neu.ga.netz.yml.01 b/host_vars/ga-st-gw-neu.ga.netz.yml.01
new file mode 100644
index 0000000..48c0378
--- /dev/null
+++ b/host_vars/ga-st-gw-neu.ga.netz.yml.01
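Review bot: In the new `default_user` list the `borg` entry's `password:` hash is byte-identical to the `chris` entry's (`$y$j9T$JPKlR6kIk7GJStSdmAQWq/…`), salt included, so the backup service account accepts the interactive admin's password. If `borg` is meant to be reached only through its `ssh_keys`, lock its password (`password: '*'`) or give it its own vaulted hash, and rotate the `chris` hash now that it has been reused. The `borg` entry also gets `shell: /bin/bash`; a comment stating that an interactive login is intended (or a forced command on the client keys) would record the design decision. The key comment `root@backup.open.de` on both `back` and `borg` differs from the `backup.oopen.de` host name used elsewhere in this commit, which may simply be a typo in the comment.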
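Review bot: The new `winadm` Samba user in the `samba_user` hunk stores its password as a cleartext `password:` string, while this same commit already shows the `!vault |` form for a Samba password (the `chris` entry in `host_vars/:q`). Storing the value as `password: !vault |` followed by the encrypted block would keep it out of the plaintext history; the value committed here should be considered exposed and rotated. `winadm` is also put in both `admin` and `sysadm`, and a short comment on why both groups are needed would help a later reviewer.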
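Review bot: The new `WinServer2022-Backup` share sets `guest_ok: !!str yes` next to `group_valid_users: sysadm` and `group_write_list: sysadm`; depending on how the samba role renders these, guest access can bypass the valid-users restriction and make the Windows Server backup images readable to any host that reaches the share. If guest access is required by the Windows backup job, a comment saying so (`# guest_ok: the Windows Server-Sicherung job connects without credentials - confirm this is intended`) would record the exception; otherwise drop `guest_ok`. The header comment above the entry says `Windows Server 2016` while the share is named `WinServer2022-Backup`, so one of the two should be corrected.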
@@ -0,0 +1,592 @@ +--- +# --- +# vars used by roles/network_interfaces +# --- + + +# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted +network_manage_devices: True + +# Should the interfaces be reloaded after config change? +network_interface_reload: False + +network_interface_path: /etc/network/interfaces.d +network_interface_required_packages: + - vlan + - bridge-utils + - ifmetric + - ifupdown + - ifenslave + +network_interfaces: + + - device: lan0 + headline: lan0 - Temporary LAN network + auto: false + family: inet + method: static + address: 192.168.11.18 + gateway: 192.168.11.254 + netmask: 24 + + - device: lan4 + headline: lan4 - Uplink static line (radio) to Altenschlirf + auto: true + family: inet + method: static + address: 172.16.111.254 + netmask: 24 + up: + # - For management Antennas + - /sbin/ip link add link lan4 name lan4.111 type vlan id 111 + post-up: + # - Static routes to Altenschlirf (Router Ip-Address Altenschlirf: 172.16.111.253) + # - + # - Telefon Altenshlirf + - /sbin/ip route add 172.16.210.0/24 via 172.16.111.253 + # User Network Altenshlirf + - /sbin/ip route add 192.168.10.0/24 via 172.16.111.253 + # Management Network Altenschlirf + - /sbin/ip route add 10.10.10.0/24 via 172.16.111.253 + # WLan Router (Accesspoints) Altenshlirf + - /sbin/ip route add 10.122.1.0/24 via 172.16.111.253 + # # WLan Networks Altenshlirf + - /sbin/ip route add 10.123.0.0/16 via 172.16.111.253 + # DSL via Fritzbox Altenschlirf + - /sbin/ip route add 172.16.10.0/24 via 172.16.111.253 + # - WLAN Gemeinschaft Altenschlirf guest NET (Unifi routet Network) + - /sbin/ip route add 10.221.0.0/20 via 172.16.111.253 + # - WLAN Gemeinschaft Altenschlirf private NET (Unifi routet Network) + - /sbin/ip route add 10.231.0.0/20 via 172.16.111.253 + # VPN home Network Altenschlirf + # + - /sbin/ip route add 10.0.10.0/24 via 172.16.111.253 + # VPN 'gw-ckubu' Network Altenschlirf + # + - /sbin/ip route add 10.1.10.0/24 via 172.16.111.253 + # 
private networks 'ckubu' + # + # connections from private ckubu networks ist routed through VPN Altenschlirf (gw-ckubu), + # so we route them back to that gateway.. + - /sbin/ip route add 192.168.63.0/24 via 172.16.111.253 + - /sbin/ip route add 192.168.64.0/24 via 172.16.111.253 + + + - device: lan4.111 + headline: lan4.111 - network 10.10.111.0 (management antennas) + auto: true + family: inet + method: static + address: 10.10.111.254 + netmask: 24 + + + - device: lan6 + headline: lan6 - holds VLAN 211 device for Network Telefons Stockhausen + auto: false + family: inet + method: manual + up: + - /sbin/ip link add link lan6 name lan6.211 type vlan id 211 + + + - device: lan6.211 + headline: lan6.211 - Network Telefons Stockhausen + auto: true + family: inet + method: static + # Note: + # !! 172.16.211.254 is reserved for LANCom Router (DSL line teleefon). + # This LANCom Router IS NOT pngable !! + address: 172.16.211.1 + netmask: 24 + pre-up: + - /sbin/ifconfig lan6 up + + + - device: lan8 + headline: lan8 - Uplink DSL surf2 via (static) line to Fritz!Box 7490 (formaly Zyxel 6501) + auto: true + family: inet + method: static + address: 172.16.11.1 + netmask: 24 + gateway: 172.16.11.254 + + + - device: lan9 + headline: lan9 - Uplink DSL surf3 via (static) line to Fritz!Box 7490 + auto: true + family: inet + method: static + address: 172.16.13.1 + netmask: 24 + gateway: 172.16.13.254 + + + - device: lan7 + headline: lan7 - Uplink DSL surf1 via (static) line to Fritz!Box 7490 (Mailserver) + auto: true + family: inet + method: static + address: 172.16.12.1 + netmask: 24 + gateway: 172.16.12.254 + + + # ---------- + # Note: Install the 'ifenslave' package, necessary to enable bonding: + # + # apt-get install ifenslave + # ---------- + - device: bond0 + headline: bond0 - LAG (Link Aggregation) on devices lan2 and lan10 + auto: true + family: inet + method: static + address: 10.1.9.254 + netmask: 24 + bond: + slaves: lan2 lan10 + # Mode 4 (802.3ad) + # + # also possible 
here: + # - Mode 5: balance-tlb + # - Mode 6: balance-alb + mode: 4 + miimon: 100 + lacp-rate: 1 + ad-select: count + downdelay: 200 + updelay: 200 + post-up: + # VLAN 11 for management network Stockhausen/Schloss 10.10.11.0/24 + - /sbin/ip link add link bond0 name bond0.11 type vlan id 11 + # VLAN 78 for network Georgshaus 192.168.78.0/24 + - /sbin/ip link add link bond0 name bond0.78 type vlan id 78 + + + - device: bond0.11 + headline: bond0.11 - VLAN 11 on interface bond0 (Management Network Stockhausen) + auto: true + family: inet + method: static + address: 10.10.11.254 + netmask: 24 + + + - device: bond0.78 + headline: bond0.78 - VLAN 78 on interface bond0 (Georgshaus ?) + auto: true + family: inet + method: static + address: 192.168.78.254 + netmask: 24 + + + # ---------- + # Note: Install the 'ifenslave' package, necessary to enable bonding: + # + # apt-get install ifenslave + # ---------- + - device: bond1 + headline: bond1 - LAG (Link Aggregation) on devices lan3 and lan11 - Main Network Stockhausen + auto: true + family: inet + method: static + address: 192.168.11.254 + netmask: 24 + nameservers: + - 192.168.11.1 + - 192.168.10.3 + search: ga.netz ga.intra + bond: + slaves: lan3 lan11 + # Mode 4 (802.3ad) + # + # also possible here: + # - Mode 5: balance-tlb + # - Mode 6: balance-alb + mode: 4 + miimon: 100 + lacp-rate: 1 + ad-select: count + downdelay: 200 + updelay: 200 + post-up: + # VLAN 121 - for Ubiquiti UniFi Accesspoints + - /sbin/ip link add link bond1 name bond1.121 type vlan id 121 + # VLAN 121 - for Ubiquiti UniFi Accesspoints Guests + - /sbin/ip link add link bond1 name bond1.131 type vlan id 131 + # Route ??? 
+ - /sbin/ip route add 10.11.16.0/24 via 192.168.11.6 + # Route to management network campus + - /sbin/ip route add 10.72.1.0/24 via 192.168.11.72 + # Route to LAN campus + - /sbin/ip route add 192.168.72.0/24 via 192.168.11.72 + # Route to WLAN campus + - /sbin/ip route add 192.168.73.0/24 via 192.168.11.72 + + + - device: bond1.121 + headline: bond1.121 - VLAN 121 on interface bond1 for Ubiquiti UniFi Accesspoints Guest NET + auto: true + family: inet + method: static + address: 10.121.15.254 + netmask: 20 + + + - device: bond1.131 + headline: bond1.131 - VLAN 131 on interface bond1 for Ubiquiti UniFi Accesspoints private NET + auto: true + family: inet + method: static + address: 10.131.15.254 + netmask: 20 + + + - device: bond1:ns + headline: bond1:ns - Alias IP on bond1 device for Nameservice + auto: true + family: inet + method: static + address: 192.168.11.1 + netmask: 32 + + + - device: bond1:1 + headline: bond1:1 - Alias IP on bond1 device for (depricated) Management Network + auto: true + family: inet + method: static + address: 10.10.9.254 + netmask: 24 + + + - device: bond1:ap + headline: bond1:ap - Alias IP on bond1 device for Network Accesspoints + auto: true + family: inet + method: static + address: 10.112.1.254 + netmask: 24 + post-up: + # - Wireless Networks routed through appropriate Accesspoints + # - + - /sbin/ip route add 10.113.1.0/24 via 10.112.1.1 + - /sbin/ip route add 10.113.2.0/24 via 10.112.1.2 + - /sbin/ip route add 10.113.3.0/24 via 10.112.1.3 + - /sbin/ip route add 10.113.4.0/24 via 10.112.1.4 + - /sbin/ip route add 10.113.5.0/24 via 10.112.1.5 + - /sbin/ip route add 10.113.6.0/24 via 10.112.1.6 + - /sbin/ip route add 10.113.7.0/24 via 10.112.1.7 + - /sbin/ip route add 10.113.8.0/24 via 10.112.1.8 + - /sbin/ip route add 10.113.9.0/24 via 10.112.1.9 + - /sbin/ip route add 10.113.10.0/24 via 10.112.1.10 + - /sbin/ip route add 10.113.11.0/24 via 10.112.1.11 + - /sbin/ip route add 10.113.12.0/24 via 10.112.1.12 + - /sbin/ip route add 
10.113.13.0/24 via 10.112.1.13 + - /sbin/ip route add 10.113.14.0/24 via 10.112.1.14 + - /sbin/ip route add 10.113.15.0/24 via 10.112.1.15 + + + - device: bond1:ipmi + headline: bond1:ipmi - Alias IP on bond1 for IPMI Addresses Servr Stockhausen + auto: true + family: inet + method: static + address: 10.11.11.254 + netmask: 24 + + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + + +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: 
+# Servername für DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 127.0.0.1 + +# search domains +# +# If there are more than one search domains, then specify them here in the order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - ~. + - ga.netz + - ga.intra + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 192.168.10.1 + + +# --- +# vars used by roles/common/tasks/cron.yml +# --- + +cron_user_special_time_entries: + + - name: "Restart NTP service 'ntpsec'" + special_time: reboot + job: "sleep 15 ; /bin/systemctl restart ntpsec" + insertafter: PATH + + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + +insert_ssh_keypair_backup_server: false +ssh_keypair_backup_server: + - name: backup + backup_user: back + priv_key_src: root/.ssh/id_rsa.backup.oopen.de + priv_key_dest: /root/.ssh/id_rsa + pub_key_src: root/.ssh/id_rsa.backup.oopen.de.pub + pub_key_dest: /root/.ssh/id_rsa.pub + +insert_keypair_backup_client: true +ssh_keypair_backup_client: + - name: backup + priv_key_src: root/.ssh/id_ed25519.oopen-server + priv_key_dest: /root/.ssh/id_ed25519 + pub_key_src: root/.ssh/id_ed25519.oopen-server.pub + pub_key_dest: /root/.ssh/id_ed25519.pub + target: backup.oopen.de + +default_user: + + - name: chris + password: $y$j9T$rDrvWa/KInzTe601YYf9./$WjDlaItCrgX7gu4nCs481y8WLxiRaNJCC/MgFgKuzg3 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: maadmin + password: $y$j9T$LCkYWvykWzrpFxIlmSUB01$e1ROfZxXAU53UdAwZAECzED4iV4LS02Q4IPQ2fycv51 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCQRRXy0+9D+mhLniRlUpZZ3kZdZcQKXBsGnlsFYaRi maadmin@ga-st-lsx1' + + - name: wadmin + password: 
$6$sLWIXKTW$i/STlSS0LijkrnGR/XMbaxJsEbrRdDYgqyCqIr.muLN5towes8yHDCXsyCYDjuaBNKPHXyFpr8lclg5DOm9OF1 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1' + + - name: sysadm + user_id: 1050 + group_id: 1050 + group: sysadm + password: $y$j9T$awYUu9oRvV39ojITZOC7D1$czTh5HHIE32PXb0vl40ayAarm39txR4jaH1QzBscqfC + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCQRRXy0+9D+mhLniRlUpZZ3kZdZcQKXBsGnlsFYaRi maadmin@ga-st-lsx1' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1' + + - name: back + user_id: 1060 + group_id: 1060 + group: back + password: $y$j9T$wpg8hlvMpO4PAWSVdLoJq/$dgpQh4cEnbUOQkkZzKUM4S8XzNS/Md5gMmMuNTqec74 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + +sudo_users: + - chris + - sysadm + - maadmin + - wadmin + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# 
--- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + +install_bind_packages: true + +bind9_gateway_acl: + - local-net: + name: local-net + entries: + - 127.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 + - 10.0.0.0/8 + - fc00::/7 + - fe80::/10 + - ::1/128 + - internaldns: + name: internaldns + entries: + - '# Nameserver Gateway Stockhausen' + - 192.168.11.1 + - '# Domain Controller Stockhausen' + - 192.168.10.3 + - '# Nameserver Gateway Altenschlirf' + - 192.168.10.1 + - '# Domain Controller Altenschlirf' + - 192.168.10.3 + - 192.168.10.6 + - 172.16.0.1 + - '# Nameserver Gateway Novalishaus' + - 192.168.81.1 + - 10.2.11.2 + - '# Nameserver wolle' + - 10.113.12.3 + - '# Postfix Mailserver' + - 192.168.11.2 + - '# Mail Relay System' + - 192.168.10.2 + +bind9_gateway_listen_on_v6: + - none + +bind9_gateway_listen_on: + - any + +#bind9_gateway_allow_transfer: {} +bind9_gateway_allow_transfer: + - internaldns + +bind9_transfer_source: !!str "192.168.11.1" +bind9_notify_source: !!str "192.168.11.1" + +#bind9_gateway_allow_query: {} +bind9_gateway_allow_query: + - local-net + +#bind9_gateway_allow_query_cache: {} +bind9_gateway_allow_query_cache: + - local-net + +bind9_gateway_recursion: !!str "yes" +#bind9_gateway_allow_recursion: {} +bind9_gateway_allow_recursion: + - local-net + + +# --- +# vars used by roles/common/tasks/git.yml +# --- + +git_firewall_repository: + name: ipt-gateway + repo: https://git.oopen.de/firewall/ipt-gateway + dest: /usr/local/src/ipt-gateway + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + +root_user: + name: root + password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq. + diff --git a/host_vars/ga-st-gw.ga.netz.yml b/host_vars/ga-st-gw.ga.netz.yml index 67745f7..5141134 100644 --- a/host_vars/ga-st-gw.ga.netz.yml +++ b/host_vars/ga-st-gw.ga.netz.yml 
@@ -20,8 +20,17 @@ network_interface_required_packages: network_interfaces: - - device: eth2 - headline: eth2 - Uplink static line (radio) to Altenschlirf + - device: lan0 + headline: lan0 - Temporary LAN network + auto: false + family: inet + method: static + address: 192.168.11.18 + #gateway: 192.168.11.254 + netmask: 24 + + - device: lan4 + headline: lan4 - Uplink static line (radio) to Altenschlirf auto: true family: inet method: static @@ -29,7 +38,7 @@ network_interfaces: netmask: 24 up: # - For management Antennas - - /sbin/ip link add link eth2 name eth2.111 type vlan id 111 + - /sbin/ip link add link lan4 name lan4.111 type vlan id 111 post-up: # - Static routes to Altenschlirf (Router Ip-Address Altenschlirf: 172.16.111.253) # - @@ -63,8 +72,8 @@ network_interfaces: - /sbin/ip route add 192.168.64.0/24 via 172.16.111.253 - - device: eth2.111 - headline: eth2.111 - network 10.10.111.0 (management antennas) + - device: lan4.111 + headline: lan4.111 - network 10.10.111.0 (management antennas) auto: true family: inet method: static @@ -72,17 +81,17 @@ network_interfaces: netmask: 24 - - device: eth8 - headline: eth8 - holds VLAN 211 device for Network Telefons Stockhausen + - device: lan6 + headline: lan6 - holds VLAN 211 device for Network Telefons Stockhausen auto: false family: inet method: manual up: - - /sbin/ip link add link eth8 name eth8.211 type vlan id 211 + - /sbin/ip link add link lan6 name lan6.211 type vlan id 211 - - device: eth8.211 - headline: eth8.211 - Network Telefons Stockhausen + - device: lan6.211 + headline: lan6.211 - Network Telefons Stockhausen auto: true family: inet method: static 
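Review bot: The new `lan0` stanza gives this gateway a second address in 192.168.11.0/24 (`192.168.11.18/24`) while the main LAN port renamed to `sfp0` in the later hunks presumably keeps `192.168.11.254/24` (the `.00` snapshot shows that address on the old `bond1`); if anyone brings `lan0` up by hand, the kernel holds two connected routes for the same prefix and replies may leave on either port, which interface-bound rules in the ipt-gateway firewall would not anticipate. It is `auto: false` and headlined "Temporary LAN network", but nothing says why it exists or when it goes. Either drop the stanza before merging or make the intent explicit, e.g. `# TEMPORARY (migration bring-up): same subnet as sfp0, never set auto: true, remove after cut-over`. Keep `#gateway: 192.168.11.254` commented out: a default route via a LAN-side interface would have overridden the DSL uplinks defined below.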
@@ -92,11 +101,11 @@ network_interfaces: address: 172.16.211.1 netmask: 24 pre-up: - - /sbin/ifconfig eth8 up + - /sbin/ifconfig lan6 up - - device: eth9 - headline: eth9 - Uplink DSL surf2 via (static) line to Fritz!Box 7490 (formaly Zyxel 6501) + - device: lan8 + headline: lan8 - Uplink DSL surf2 via (static) line to Fritz!Box 7490 (formaly Zyxel 6501) auto: true family: inet method: static @@ -105,8 +114,8 @@ network_interfaces: gateway: 172.16.11.254 - - device: eth10 - headline: eth10 - Uplink DSL surf3 via (static) line to Fritz!Box 7490 + - device: lan9 + headline: lan9 - Uplink DSL surf3 via (static) line to Fritz!Box 7490 auto: true family: inet method: static @@ -115,8 +124,8 @@ network_interfaces: gateway: 172.16.13.254 - - device: eth11 - headline: eth11 - Uplink DSL surf1 via (static) line to Fritz!Box 7490 (Mailserver) + - device: lan7 + headline: lan7 - Uplink DSL surf1 via (static) line to Fritz!Box 7490 (Mailserver) auto: true family: inet method: static @@ -131,14 +140,14 @@ network_interfaces: # apt-get install ifenslave # ---------- - device: bond0 - headline: bond0 - LAG (Link Aggregation) on devices eth0 and eth4 + headline: bond0 - LAG (Link Aggregation) on devices lan2 and lan10 auto: true family: inet method: static address: 10.1.9.254 netmask: 24 bond: - slaves: eth0 eth4 + slaves: lan2 lan10 # Mode 4 (802.3ad) # # also possible here: @@ -180,8 +189,8 @@ network_interfaces: # # apt-get install ifenslave # ---------- - - device: bond1 - headline: bond1 - LAG (Link Aggregation) on devices eth3 and eth5 - Main Network Stockhausen + - device: sfp0 + headline: sfp0 - Main Network Stockhausen auto: true family: inet method: static 
@@ -191,24 +200,24 @@ network_interfaces: - 192.168.11.1 - 192.168.10.3 search: ga.netz ga.intra - bond: - slaves: eth3 eth5 - # Mode 4 (802.3ad) - # - # also possible here: - # - Mode 5: balance-tlb - # - Mode 6: balance-alb - mode: 4 - miimon: 100 - lacp-rate: 1 - ad-select: count - downdelay: 200 - updelay: 200 + #bond: + # slaves: lan3 lan11 + # # Mode 4 (802.3ad) + # # + # # also possible here: + # # - Mode 5: balance-tlb + # # - Mode 6: balance-alb + # mode: 4 + # miimon: 100 + # lacp-rate: 1 + # ad-select: count + # downdelay: 200 + # updelay: 200 post-up: # VLAN 121 - for Ubiquiti UniFi Accesspoints - - /sbin/ip link add link bond1 name bond1.121 type vlan id 121 + - /sbin/ip link add link sfp0 name sfp0.121 type vlan id 121 # VLAN 121 - for Ubiquiti UniFi Accesspoints Guests - - /sbin/ip link add link bond1 name bond1.131 type vlan id 131 + - /sbin/ip link add link sfp0 name sfp0.131 type vlan id 131 # Route ??? - /sbin/ip route add 10.11.16.0/24 via 192.168.11.6 # Route to management network campus @@ -219,8 +228,8 @@ network_interfaces: - /sbin/ip route add 192.168.73.0/24 via 192.168.11.72 - - device: bond1.121 - headline: bond1.121 - VLAN 121 on interface bond1 for Ubiquiti UniFi Accesspoints Guest NET + - device: sfp0.121 + headline: sfp0.121 - VLAN 121 on interface sfp0 for Ubiquiti UniFi Accesspoints Guest NET auto: true family: inet method: static @@ -228,8 +237,8 @@ network_interfaces: netmask: 20 - - device: bond1.131 - headline: bond1.131 - VLAN 131 on interface bond1 for Ubiquiti UniFi Accesspoints private NET + - device: sfp0.131 + headline: sfp0.131 - VLAN 131 on interface sfp0 for Ubiquiti UniFi Accesspoints private NET auto: true family: inet method: static @@ -237,8 +246,8 @@ network_interfaces: netmask: 20 - - device: bond1:ns - headline: bond1:ns - Alias IP on bond1 device for Nameservice + - device: sfp0:ns + headline: sfp0:ns - Alias IP on sfp0 device for Nameservice auto: true family: inet method: static 
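Review bot: Moving the main Stockhausen network from the `bond1` LAG to the single port `sfp0` removes the link redundancy the 802.3ad bond provided, and the hunk keeps the whole bond definition as a commented block (`#bond:` … `# updelay: 200`) instead of deleting it, so a later reader cannot tell whether the LAG is retired or merely disabled during the SFP migration. Git already preserves the old block; replace it with one line that records the decision, e.g. `# bond1 (lan3+lan11, LACP) retired: main network is now on the single SFP port sfp0`. While here, the context line `# Route ???` above `ip route add 10.11.16.0/24 via 192.168.11.6` documents nothing about a static route that steers an internal prefix through another host on the LAN — it deserves a real comment naming what 192.168.11.6 is. The `ifenslave` note and package requirement above this device (outside the hunk) are now only needed by `bond0`.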
@@ -246,8 +255,8 @@ network_interfaces: netmask: 32 - - device: bond1:1 - headline: bond1:1 - Alias IP on bond1 device for (depricated) Management Network + - device: sfp0:1 + headline: sfp0:1 - Alias IP on sfp0 device for (depricated) Management Network auto: true family: inet method: static @@ -255,8 +264,8 @@ network_interfaces: netmask: 24 - - device: bond1:ap - headline: bond1:ap - Alias IP on bond1 device for Network Accesspoints + - device: sfp0:ap + headline: sfp0:ap - Alias IP on sfp0 device for Network Accesspoints auto: true family: inet method: static @@ -282,8 +291,8 @@ network_interfaces: - /sbin/ip route add 10.113.15.0/24 via 10.112.1.15 - - device: bond1:ipmi - headline: bond1:ipmi - Alias IP on bond1 for IPMI Addresses Servr Stockhausen + - device: sfp0:ipmi + headline: sfp0:ipmi - Alias IP on sfp0 for IPMI Addresses Servr Stockhausen auto: true family: inet method: static diff --git a/host_vars/ga-st-gw.ga.netz.yml.00 b/host_vars/ga-st-gw.ga.netz.yml.00 new file mode 100644 index 0000000..67745f7 --- /dev/null +++ b/host_vars/ga-st-gw.ga.netz.yml.00 
@@ -0,0 +1,583 @@ +--- +# --- +# vars used by roles/network_interfaces +# --- + + +# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted +network_manage_devices: True + +# Should the interfaces be reloaded after config change? +network_interface_reload: False + +network_interface_path: /etc/network/interfaces.d +network_interface_required_packages: + - vlan + - bridge-utils + - ifmetric + - ifupdown + - ifenslave + +network_interfaces: + + - device: eth2 + headline: eth2 - Uplink static line (radio) to Altenschlirf + auto: true + family: inet + method: static + address: 172.16.111.254 + netmask: 24 + up: + # - For management Antennas + - /sbin/ip link add link eth2 name eth2.111 type vlan id 111 + post-up: + # - Static routes to Altenschlirf (Router Ip-Address Altenschlirf: 172.16.111.253) + # - + # - Telefon Altenshlirf + - /sbin/ip route add 172.16.210.0/24 via 172.16.111.253 + # User Network Altenshlirf + - /sbin/ip route add 192.168.10.0/24 via 172.16.111.253 + # Management Network Altenschlirf + - /sbin/ip route add 10.10.10.0/24 via 172.16.111.253 + # WLan Router (Accesspoints) Altenshlirf + - /sbin/ip route add 10.122.1.0/24 via 172.16.111.253 + # # WLan Networks Altenshlirf + - /sbin/ip route add 10.123.0.0/16 via 172.16.111.253 + # DSL via Fritzbox Altenschlirf + - /sbin/ip route add 172.16.10.0/24 via 172.16.111.253 + # - WLAN Gemeinschaft Altenschlirf guest NET (Unifi routet Network) + - /sbin/ip route add 10.221.0.0/20 via 172.16.111.253 + # - WLAN Gemeinschaft Altenschlirf private NET (Unifi routet Network) + - /sbin/ip route add 10.231.0.0/20 via 172.16.111.253 + # VPN home Network Altenschlirf + # + - /sbin/ip route add 10.0.10.0/24 via 172.16.111.253 + # VPN 'gw-ckubu' Network Altenschlirf + # + - /sbin/ip route add 10.1.10.0/24 via 172.16.111.253 + # private networks 'ckubu' + # + # connections from private ckubu networks ist routed through VPN Altenschlirf (gw-ckubu), + # so we route them back to that gateway.. 
+ - /sbin/ip route add 192.168.63.0/24 via 172.16.111.253 + - /sbin/ip route add 192.168.64.0/24 via 172.16.111.253 + + + - device: eth2.111 + headline: eth2.111 - network 10.10.111.0 (management antennas) + auto: true + family: inet + method: static + address: 10.10.111.254 + netmask: 24 + + + - device: eth8 + headline: eth8 - holds VLAN 211 device for Network Telefons Stockhausen + auto: false + family: inet + method: manual + up: + - /sbin/ip link add link eth8 name eth8.211 type vlan id 211 + + + - device: eth8.211 + headline: eth8.211 - Network Telefons Stockhausen + auto: true + family: inet + method: static + # Note: + # !! 172.16.211.254 is reserved for LANCom Router (DSL line teleefon). + # This LANCom Router IS NOT pngable !! + address: 172.16.211.1 + netmask: 24 + pre-up: + - /sbin/ifconfig eth8 up + + + - device: eth9 + headline: eth9 - Uplink DSL surf2 via (static) line to Fritz!Box 7490 (formaly Zyxel 6501) + auto: true + family: inet + method: static + address: 172.16.11.1 + netmask: 24 + gateway: 172.16.11.254 + + + - device: eth10 + headline: eth10 - Uplink DSL surf3 via (static) line to Fritz!Box 7490 + auto: true + family: inet + method: static + address: 172.16.13.1 + netmask: 24 + gateway: 172.16.13.254 + + + - device: eth11 + headline: eth11 - Uplink DSL surf1 via (static) line to Fritz!Box 7490 (Mailserver) + auto: true + family: inet + method: static + address: 172.16.12.1 + netmask: 24 + gateway: 172.16.12.254 + + + # ---------- + # Note: Install the 'ifenslave' package, necessary to enable bonding: + # + # apt-get install ifenslave + # ---------- + - device: bond0 + headline: bond0 - LAG (Link Aggregation) on devices eth0 and eth4 + auto: true + family: inet + method: static + address: 10.1.9.254 + netmask: 24 + bond: + slaves: eth0 eth4 + # Mode 4 (802.3ad) + # + # also possible here: + # - Mode 5: balance-tlb + # - Mode 6: balance-alb + mode: 4 + miimon: 100 + lacp-rate: 1 + ad-select: count + downdelay: 200 + updelay: 200 + post-up: + # 
VLAN 11 for management network Stockhausen/Schloss 10.10.11.0/24 + - /sbin/ip link add link bond0 name bond0.11 type vlan id 11 + # VLAN 78 for network Georgshaus 192.168.78.0/24 + - /sbin/ip link add link bond0 name bond0.78 type vlan id 78 + + + - device: bond0.11 + headline: bond0.11 - VLAN 11 on interface bond0 (Management Network Stockhausen) + auto: true + family: inet + method: static + address: 10.10.11.254 + netmask: 24 + + + - device: bond0.78 + headline: bond0.78 - VLAN 78 on interface bond0 (Georgshaus ?) + auto: true + family: inet + method: static + address: 192.168.78.254 + netmask: 24 + + + # ---------- + # Note: Install the 'ifenslave' package, necessary to enable bonding: + # + # apt-get install ifenslave + # ---------- + - device: bond1 + headline: bond1 - LAG (Link Aggregation) on devices eth3 and eth5 - Main Network Stockhausen + auto: true + family: inet + method: static + address: 192.168.11.254 + netmask: 24 + nameservers: + - 192.168.11.1 + - 192.168.10.3 + search: ga.netz ga.intra + bond: + slaves: eth3 eth5 + # Mode 4 (802.3ad) + # + # also possible here: + # - Mode 5: balance-tlb + # - Mode 6: balance-alb + mode: 4 + miimon: 100 + lacp-rate: 1 + ad-select: count + downdelay: 200 + updelay: 200 + post-up: + # VLAN 121 - for Ubiquiti UniFi Accesspoints + - /sbin/ip link add link bond1 name bond1.121 type vlan id 121 + # VLAN 121 - for Ubiquiti UniFi Accesspoints Guests + - /sbin/ip link add link bond1 name bond1.131 type vlan id 131 + # Route ??? 
+ - /sbin/ip route add 10.11.16.0/24 via 192.168.11.6 + # Route to management network campus + - /sbin/ip route add 10.72.1.0/24 via 192.168.11.72 + # Route to LAN campus + - /sbin/ip route add 192.168.72.0/24 via 192.168.11.72 + # Route to WLAN campus + - /sbin/ip route add 192.168.73.0/24 via 192.168.11.72 + + + - device: bond1.121 + headline: bond1.121 - VLAN 121 on interface bond1 for Ubiquiti UniFi Accesspoints Guest NET + auto: true + family: inet + method: static + address: 10.121.15.254 + netmask: 20 + + + - device: bond1.131 + headline: bond1.131 - VLAN 131 on interface bond1 for Ubiquiti UniFi Accesspoints private NET + auto: true + family: inet + method: static + address: 10.131.15.254 + netmask: 20 + + + - device: bond1:ns + headline: bond1:ns - Alias IP on bond1 device for Nameservice + auto: true + family: inet + method: static + address: 192.168.11.1 + netmask: 32 + + + - device: bond1:1 + headline: bond1:1 - Alias IP on bond1 device for (depricated) Management Network + auto: true + family: inet + method: static + address: 10.10.9.254 + netmask: 24 + + + - device: bond1:ap + headline: bond1:ap - Alias IP on bond1 device for Network Accesspoints + auto: true + family: inet + method: static + address: 10.112.1.254 + netmask: 24 + post-up: + # - Wireless Networks routed through appropriate Accesspoints + # - + - /sbin/ip route add 10.113.1.0/24 via 10.112.1.1 + - /sbin/ip route add 10.113.2.0/24 via 10.112.1.2 + - /sbin/ip route add 10.113.3.0/24 via 10.112.1.3 + - /sbin/ip route add 10.113.4.0/24 via 10.112.1.4 + - /sbin/ip route add 10.113.5.0/24 via 10.112.1.5 + - /sbin/ip route add 10.113.6.0/24 via 10.112.1.6 + - /sbin/ip route add 10.113.7.0/24 via 10.112.1.7 + - /sbin/ip route add 10.113.8.0/24 via 10.112.1.8 + - /sbin/ip route add 10.113.9.0/24 via 10.112.1.9 + - /sbin/ip route add 10.113.10.0/24 via 10.112.1.10 + - /sbin/ip route add 10.113.11.0/24 via 10.112.1.11 + - /sbin/ip route add 10.113.12.0/24 via 10.112.1.12 + - /sbin/ip route add 
10.113.13.0/24 via 10.112.1.13 + - /sbin/ip route add 10.113.14.0/24 via 10.112.1.14 + - /sbin/ip route add 10.113.15.0/24 via 10.112.1.15 + + + - device: bond1:ipmi + headline: bond1:ipmi - Alias IP on bond1 for IPMI Addresses Servr Stockhausen + auto: true + family: inet + method: static + address: 10.11.11.254 + netmask: 24 + + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + + +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: 
+# Servername für DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 127.0.0.1 + +# search domains +# +# If there are more than one search domains, then specify them here in the order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - ~. + - ga.netz + - ga.intra + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 192.168.10.1 + + +# --- +# vars used by roles/common/tasks/cron.yml +# --- + +cron_user_special_time_entries: + + - name: "Restart NTP service 'ntpsec'" + special_time: reboot + job: "sleep 15 ; /bin/systemctl restart ntpsec" + insertafter: PATH + + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + +insert_ssh_keypair_backup_server: false +ssh_keypair_backup_server: + - name: backup + backup_user: back + priv_key_src: root/.ssh/id_rsa.backup.oopen.de + priv_key_dest: /root/.ssh/id_rsa + pub_key_src: root/.ssh/id_rsa.backup.oopen.de.pub + pub_key_dest: /root/.ssh/id_rsa.pub + +insert_keypair_backup_client: true +ssh_keypair_backup_client: + - name: backup + priv_key_src: root/.ssh/id_ed25519.oopen-server + priv_key_dest: /root/.ssh/id_ed25519 + pub_key_src: root/.ssh/id_ed25519.oopen-server.pub + pub_key_dest: /root/.ssh/id_ed25519.pub + target: backup.oopen.de + +default_user: + + - name: chris + password: $y$j9T$rDrvWa/KInzTe601YYf9./$WjDlaItCrgX7gu4nCs481y8WLxiRaNJCC/MgFgKuzg3 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: maadmin + password: $y$j9T$LCkYWvykWzrpFxIlmSUB01$e1ROfZxXAU53UdAwZAECzED4iV4LS02Q4IPQ2fycv51 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCQRRXy0+9D+mhLniRlUpZZ3kZdZcQKXBsGnlsFYaRi maadmin@ga-st-lsx1' + + - name: wadmin + password: 
$6$sLWIXKTW$i/STlSS0LijkrnGR/XMbaxJsEbrRdDYgqyCqIr.muLN5towes8yHDCXsyCYDjuaBNKPHXyFpr8lclg5DOm9OF1 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1' + + - name: sysadm + user_id: 1050 + group_id: 1050 + group: sysadm + password: $y$j9T$awYUu9oRvV39ojITZOC7D1$czTh5HHIE32PXb0vl40ayAarm39txR4jaH1QzBscqfC + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCQRRXy0+9D+mhLniRlUpZZ3kZdZcQKXBsGnlsFYaRi maadmin@ga-st-lsx1' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1' + + - name: back + user_id: 1060 + group_id: 1060 + group: back + password: $y$j9T$wpg8hlvMpO4PAWSVdLoJq/$dgpQh4cEnbUOQkkZzKUM4S8XzNS/Md5gMmMuNTqec74 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + +sudo_users: + - chris + - sysadm + - maadmin + - wadmin + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# 
--- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + +install_bind_packages: true + +bind9_gateway_acl: + - local-net: + name: local-net + entries: + - 127.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 + - 10.0.0.0/8 + - fc00::/7 + - fe80::/10 + - ::1/128 + - internaldns: + name: internaldns + entries: + - '# Nameserver Gateway Stockhausen' + - 192.168.11.1 + - '# Domain Controller Stockhausen' + - 192.168.10.3 + - '# Nameserver Gateway Altenschlirf' + - 192.168.10.1 + - '# Domain Controller Altenschlirf' + - 192.168.10.3 + - 192.168.10.6 + - 172.16.0.1 + - '# Nameserver Gateway Novalishaus' + - 192.168.81.1 + - 10.2.11.2 + - '# Nameserver wolle' + - 10.113.12.3 + - '# Postfix Mailserver' + - 192.168.11.2 + - '# Mail Relay System' + - 192.168.10.2 + +bind9_gateway_listen_on_v6: + - none + +bind9_gateway_listen_on: + - any + +#bind9_gateway_allow_transfer: {} +bind9_gateway_allow_transfer: + - internaldns + +bind9_transfer_source: !!str "192.168.11.1" +bind9_notify_source: !!str "192.168.11.1" + +#bind9_gateway_allow_query: {} +bind9_gateway_allow_query: + - local-net + +#bind9_gateway_allow_query_cache: {} +bind9_gateway_allow_query_cache: + - local-net + +bind9_gateway_recursion: !!str "yes" +#bind9_gateway_allow_recursion: {} +bind9_gateway_allow_recursion: + - local-net + + +# --- +# vars used by roles/common/tasks/git.yml +# --- + +git_firewall_repository: + name: ipt-gateway + repo: https://git.oopen.de/firewall/ipt-gateway + dest: /usr/local/src/ipt-gateway + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + +root_user: + name: root + password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq. + diff --git a/host_vars/gw-fm.oopen.de.yml b/host_vars/gw-fm.oopen.de.yml new file mode 100644 index 0000000..b298a32 --- /dev/null +++ b/host_vars/gw-fm.oopen.de.yml 
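Review bot: This new file `ga-st-gw.ga.netz.yml.00` is a verbatim snapshot of the pre-change host file (its blob `67745f7` is the old side of the `ga-st-gw.ga.netz.yml` header), so it duplicates into a second tracked file every secret that file holds: the yescrypt/SHA-512 password hashes of chris, maadmin, wadmin, sysadm and back, their authorized keys, the `/root/.ssh/id_ed25519` backup-key deployment, and `root_user.password`. Git history already keeps the old version, and a `.00` suffix is presumably not picked up by Ansible's host_vars lookup (which matches the inventory name plus `.yml`/`.yaml`/`.json`), so the copy only widens the blast radius of a repository leak and invites drift — delete it. The root hash `$6$J1ssJfdshf/…` is byte-identical to the one in `gw-fm.oopen.de.yml` in this same commit, which means one shared root password across gateways; generate a per-host hash and keep `default_user[].password` and `root_user.password` behind ansible-vault (e.g. `password: "{{ vault_root_password }}"`). Also note `bind9_gateway_acl.internaldns` lists `192.168.10.3` twice, once under "Domain Controller Stockhausen" and once under "Domain Controller Altenschlirf" — harmless to BIND, but likely a copy error worth checking.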
@@ -0,0 +1,234 @@ +--- + +# --- +# vars used by roles/network_interfaces +# --- + + +# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted +network_manage_devices: True + +# Should the interfaces be reloaded after config change? +network_interface_reload: False + +network_interface_path: /etc/network/interfaces.d +network_interface_required_packages: + - vlan + - bridge-utils + - ifmetric + - ifupdown + - ifenslave + +network_interfaces: + + - device: eno1 + headline: eno1 - Uplink DSL via Fritz!Box + auto: true + family: inet + method: static + address: 172.16.222.1 + netmask: 24 + gateway: 172.16.222.254 + + + - device: eno2 + headline: eno2 - LAN + auto: true + family: inet + method: static + address: 192.168.222.254 + netmask: 24 + + + - device: eno2:ns + headline: eno2:ns - Alias on eno2 (Nameserver) + auto: true + family: inet + method: static + address: 192.168.222.1 + netmask: 32 + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + +sshd_hostkeyalgorithms: + - ssh-ed25519 + - ssh-ed25519-cert-v01@openssh.com + - rsa-sha2-256 + - rsa-sha2-512 + - ecdsa-sha2-nistp256 + - rsa-sha2-256-cert-v01@openssh.com + - rsa-sha2-512-cert-v01@openssh.com + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + + +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus 
Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 127.0.0.1 + +# search domains +# +# If there are more than one search domains, then specify them here in the order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - ~. 
+ - fm.netz + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 172.16.222.254 + - 194.150.168.168 + + +# --- +# vars used by roles/common/tasks/cron.yml +# --- + +cron_user_special_time_entries: + + - name: "Restart NTP service 'ntpsec'" + special_time: reboot + job: "sleep 15 ; /bin/systemctl restart ntpsec" + insertafter: PATH + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + +insert_ssh_keypair_backup_server: false +ssh_keypair_backup_server: + - name: backup + backup_user: back + priv_key_src: root/.ssh/id_rsa.backup.oopen.de + priv_key_dest: /root/.ssh/id_rsa + pub_key_src: root/.ssh/id_rsa.backup.oopen.de.pub + pub_key_dest: /root/.ssh/id_rsa.pub + +insert_keypair_backup_client: true +ssh_keypair_backup_client: + - name: backup + priv_key_src: root/.ssh/id_ed25519.oopen-server + priv_key_dest: /root/.ssh/id_ed25519 + pub_key_src: root/.ssh/id_ed25519.oopen-server.pub + pub_key_dest: /root/.ssh/id_ed25519.pub + target: backup.oopen.de + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + +install_bind_packages: true + + +# --- +# vars used by roles/common/tasks/git.yml +# --- + +git_firewall_repository: + name: ipt-gateway + repo: https://git.oopen.de/firewall/ipt-gateway + dest: /usr/local/src/ipt-gateway + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + +root_user: + name: root + password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq. + diff --git a/host_vars/zapata.opp.netz.yml b/host_vars/zapata.opp.netz.yml index 18ce5e0..99d2dda 100644 --- a/host_vars/zapata.opp.netz.yml +++ b/host_vars/zapata.opp.netz.yml 
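Review bot: `install_bind_packages: true` is set for this new gateway but none of the `bind9_gateway_*` variables the sibling `ga-st-gw.ga.netz.yml` defines (`listen_on`, ACLs, `allow_query`, `allow_recursion`) are present, so listen addresses and recursion fall back to role defaults I cannot see; since `eno1` is the DSL uplink, please confirm those defaults do not expose a recursive resolver toward the uplink, or set `bind9_gateway_allow_query`/`bind9_gateway_allow_recursion` to a LAN-only ACL explicitly as that file does. `root_user.password` carries the same salt and digest (`$6$J1ssJfdshf/…`) as `ga-st-gw.ga.netz.yml.00` in this commit, i.e. one root password shared across gateways; use a per-host hash and store it vaulted. `ssh_keypair_backup_client` installs `root/.ssh/id_ed25519.oopen-server` as `/root/.ssh/id_ed25519`, the same private key the other host file deploys, so one compromised client holds the key every client uses toward `backup.oopen.de` — a per-host key with a restricted `authorized_keys` entry (forced command, `from=`) on the backup server would contain that. Minor: `resolved_fallback_nameserver` adds the public `194.150.168.168` with `resolved_dnssec: false`, so name resolution silently degrades to unauthenticated DNS over the uplink whenever the local BIND is down; fine only if that is intended.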
@@ -384,6 +384,7 @@ samba_user: groups: - buero - beratung + - verwaltung password: '20_simon_18!' - name: ute diff --git a/hosts b/hosts index b62fba1..8ece706 100644 --- a/hosts +++ b/hosts @@ -44,6 +44,7 @@ gw-akb.oopen.de 172.16.82.2 gw-dissens.oopen.de gw-ebs.oopen.de +gw-fm.oopen.de gw-elster.oopen.de gw-fhxb.oopen.de gw-ckubu.local.netz @@ -61,6 +62,7 @@ gw-kb.oopen.de bbb-server.b3-bornim.netz file-ah.kanzlei-kiel.netz file-ebs.ebs.netz +file-fm.fm.netz file-fhxb.fhxb.netz file-km.anw-km.netz file-kb.anw-kb.netz @@ -142,6 +144,9 @@ o13-web.oopen.de # Freiheit für daniela o14.oopen.de +# VBRG - Opferhilfefonds +o15.oopen.de + o17.oopen.de test.mx.oopen.de @@ -344,6 +349,9 @@ o13-git.oopen.de # Freiheit für daniela o14.oopen.de +# VBRG - Opferhilfefonds +o15.oopen.de + o17.oopen.de test.mx.oopen.de test.mariadb.oopen.de @@ -536,6 +544,11 @@ file-dissens.dissens.netz gw-ebs.oopen.de file-ebs.ebs.netz +# Faire Mobilitaet +gw-fm.oopen.de +file-fm.fm.netz + + # Kanzlei Elster Jena gw-elster.oopen.de @@ -1359,6 +1372,7 @@ at-10-neu.ak.netz bbb-server.b3-bornim.netz file-ah.kanzlei-kiel.netz file-ebs.ebs.netz +file-fm.fm.netz file-fhxb.fhxb.netz file-km.anw-km.netz file-kb.anw-kb.netz @@ -1374,6 +1388,7 @@ file-blkr.blkr.netz file-dissens.dissens.netz file-ah.kanzlei-kiel.netz file-ebs.ebs.netz +file-fm.fm.netz file-fhxb.fhxb.netz @@ -1642,6 +1657,7 @@ at-10-neu.ak.netz bbb-server.b3-bornim.netz file-ah.kanzlei-kiel.netz file-ebs.ebs.netz +file-fm.fm.netz file-fhxb.fhxb.netz file-km.anw-km.netz file-kb.anw-kb.netz @@ -1881,6 +1897,7 @@ at-10-neu.ak.netz bbb-server.b3-bornim.netz file-ah.kanzlei-kiel.netz file-ebs.ebs.netz +file-fm.fm.netz file-fhxb.fhxb.netz file-km.anw-km.netz file-kb.anw-kb.netz @@ -1904,6 +1921,7 @@ gw-b3.oopen.de gw-d11.oopen.de gw-dissens.oopen.de gw-ebs.oopen.de +gw-fm.oopen.de gw-elster.oopen.de gw-blkr.oopen.de gw-ak.oopen.de
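Review bot: The added `verwaltung` group widens what this Samba account can reach, yet its credential sits on the context line right below as cleartext in host_vars (`password: '…'`), so anyone with read access to the repository or to a controller checkout has a working SMB login — and the value looks like a name plus year rather than a generated secret. Move the value into an ansible-vault-encrypted variable referenced from this entry, and rotate the password once this file has been in any shared clone. The `- name:` entry this hunk belongs to starts above the hunk, so whether other users in `samba_user` have the same problem is not visible here. The following `hosts` hunks only add inventory entries and raise nothing.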